Bugzilla – Bug 1215715
VUL-0: CVE-2023-5129: libwebp: With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap
Last modified: 2023-09-26 09:35:10 UTC
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5129 https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76 https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
this is already tracked internally via bsc#1215231, marking as duplicate *** This bug has been marked as a duplicate of bug 1215231 ***